DevOps Engineering part 6. – Infrastructure as code

Terraform

If you use Terraform in the corporate environment your company most likely has multiple AWS accounts. One for pre-production, one for production.

To be able to work in multiple AWS accounts, add those keys to the credentials file at C:\Users\YOUR_USERNAME\.aws

[aws01]
aws_access_key_id = MY_ACCESS_KEY_FOR_AWS01
aws_secret_access_key = MY_SECRET_KEY_FOR_AWS01

[aws02]
aws_access_key_id = MY_ACCESS_KEY_FOR_AWS02
aws_secret_access_key = MY_SECRET_KEY_FOR_AWS02

[default]
aws_access_key_id = MY_ACCESS_KEY_FOR_AWS01
aws_secret_access_key = MY_SECRET_KEY_FOR_AWS01

We will use Terraform to create security groups and load balancers in AWS.

  • Create a folder on your workstation for the Git repositories C:\Git
  • In the Git folder create a folder for the Terraform Configurations Terraform Configs
  • In the Terraform Configs folder create a sub-folder for the

When you are reusing existing Terraform configurations

  • Make a copy of the existing Terraform Config folder
  • Rename the folder
  • Rename the .tf files to match the name of the folder name
  • Delete the .tfstate and .tfstate.backup files
  • Update the .tf files with the new values
  • Open a Bash window in the new folder
  • Get the Terraform modules with 
    terraform get -update
  • Test the script with 
    terraform plan
  • Execute the script with 
    terraform apply

More info on Terraform at https://www.terraform.io/docs/providers/index.html

 Next:

Launching production instances in the cloud in Beginner’s Guide to DevOps Engineering part 7.

Back:

to the Tutorials page

Enable user to import projects in TeamCity

It is not enough to belong to the “System Administrator” group to be able to import projects from backup  in TeamCity. The user has to be in the “System administrator” role for the “Root project”.

To enable the user to import projects into TeamCity

  • Click the Administration link in the upper right corner
  • In the User Management section click Users
  • Click the user name in the list
  • On the Roles tab click the + Assign role button
  • Set the Role to System administrator
  • Set the Scope to Root project
  • Select the Replace existing roles with newly selected check box and click the Assign button

DevOps Engineering part 5. – Create an enterprise cookbook

In this exercise we will create a Chef cookbook for a corporation. It will be robust and include all the necessary elements to be used in a large enterprise. If your company already has established standards, as you progress with this tutorial, copy the appropriate file from an existing cookbook. If this is the first cookbook in your organization, or you don’t want to follow the current standards, copy the sample files from this page.

Create the cookbook

  • Navigate to the C:\Chef\…\cookbooks folder and open a Bash window
  • Create an empty cookbook 
    chef generate cookbook COOKBOOK_NAME

    Chef creates a new sub-folder with the name of the cookbook.

  • Rename the new folder to cookbook-COOKBOOK_NAME to distinguish it in version control from other repository types.

Update the .gitignore file

  • Chef DK has generated a .gitignore file that contains most of the important entries, but we need to add a few important lines: 
    # Certificates
*.pem

# Unencrypted Data Bags
data_bags_unencrypted/

# Macintosh folder custom attribute file
.DS_Store

# If working in a team, personalized Test Kitchen config file 
.kitchen.yml

Update the metadata.rb file

Add your name, email address, and the version of the cookbook to the top of the metadata.rb file

name 'THE_NAME_OF_THE_COOKBOOK'
maintainer 'YOUR_NAME'
maintainer_email 'YOUR_EMAIL_ADDRESS'
license 'All rights reserved'
description 'Installs/Configures THE_NAME_OF_THE_COOKBOOK'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '1.0.0'

The expression in the long_description line refers to the README.md file that GitHub can create when you set up a new repository. Place the cookbook related information into that file, so others who want to use your cookbook can easily find it.

Update the Berksfile

Add the list of cookbooks this cookbook depends on to the Berksfile file. To download all necessary cookbooks execute

berks install

Update the .kitchen.yml file to be able to test your cookbook.

If you want to test your cookbook in the Cloud, copy the following sections from an existing .kitchen.yml file of your organization. To learn Chef and launch instances with Vagrant on your workstation, the automatically created .kitchen.yml file is perfect.

  • driver
  • provisioner
  • platforms
  • a suite as an example

If your organization use tags to track instances in the Cloud,  update the tags section to reflect the values of the cookbook.

To add multiple recipes to the Chef run list use this syntax:

run_list:
  - recipe[COOKBOOK_NAME1::RECIPE_NAME]
  - recipe[COOKBOOK_NAME2::RECIPE_NAME]

Encrypted Data Bags

If you want to use encrypted data bags, ask your Chef administrator to send you the key file to encrypt and decrypt data bags. Create the data_bags_unencrypted folder for the data bag secret key on the same level where the cookbook and environment folders are.

This is a chicken and egg paradox. We don’t want to commit secrets into version control, so we need to encrypt them. But how can we place the secret encryption key on the server to decrypt the secrets? We will use Packer to create our own server images that will contain the secret key, so when Chef starts to run on the server, the key is going to be there.

Default recipe

We will place code in the default.rb file that is common to all recipes in the cookbook. All custom recipes will call the default recipe as the first step.

Update the header comments of the default.rb recipe with your name and company information

#
# Cookbook Name:: COOKBOOK_NAME
# Recipe:: default
#
# Author:: YOUR_NAME (<YOUR_EMAIL_ADDRESS>)
# Copyright (c) 2015-2016 COMPANY_NAME, All Rights Reserved.

Attribute file

Create the default attribute file with

chef generate attribute default

Add the necessary attributes to the attribute file to store the AWS tag and other cookbook specific values.

Custom recipe

Use the Chef generate command to create the new recipes. It creates all test files in the corect location.

  • Create a new recipe and the test files with 
    chef generate recipe MY_RECIPE_NAME
  • Add the following line under the header to call the default recipe, even if it is currently empty 
    include_recipe 'COOKBOOK_NAME::default'

Add the cookbook to GitHub

Create the local repository

  • In the Bash window execute the following commands
git init
git add .
git commit -m "Initial commit"

Add the repository to GitHub

In your web browser log into your GitHub account and create a new repository

  • Click the New Repository button
  • Name the repository the same as the name of the folder of the cookbook (cookbook-…)
  • Execute the lines in the section …or push an existing repository….  If you work on a Windows workstation make sure HTTPS is selected 
    git remote add origin https://github.com/....git
git push -u origin master
  • In the Collaborators & teams section of Settings select the group who will have access to the new repository

Test the cookbook

In the Bash window launch the instance with Test Kitchen

List the available instances

kitchen list

Launch the instance

kitchen converge STRING_UNIQUE_TO_THE_INSTANCE

If there are multiple suites or platforms in the .kitchen.yml file you need to type the unique part of the name of the instance to identify it.

Start a Remote Desktop connection to a Windows instance

kitchen login STRING_UNIQUE_TO_THE_INSTANCE

If you work on a Macintosh workstation and testing a Windows server, the best way to remote into the server is

  1. Install Microsoft Remote Desktop for free from the Apple App Store (See the Remote Desktop Client section in Install the DevOps development tools on Macintosh,
  2. Execute the kitchen login STRING_UNIQUE_TO_THE_INSTANCE command in the terminal window,
  3. The Microsoft Remote Desktop window will pop up with the User account name and the IP address. If you click “Connect”, the remote connection opens with the default settings, that are may not optimal for your display. The “login” command already created a new entry in the Microsoft Remote Desktop app with the IP address of the instance. To use custom settings, click Cancel,
  4. Open the Microsoft Remote Desktop app, right click the last entry that contains the IP address, select Edit, and copy the IP address to the clipboard,
  5. Create a new connection with custom display settings and paste the IP address there. You can keep this generic connection to access the Test Kitchen instances, just update the IP address.
  6. Delete the automatically created connection

SSH into a Linux instance

ssh USER_NAME@IP_ADDRESS -i PATH_TO_THE SSH_KEY_FILE

Where

  • USER_NAME is the value of username: in the .kitchen.yml file.
  • IP_ADDRESS is the IP of the instance. Get it from the “Waiting for SSH service on…” line of the Test Kitchen bash or command window, or from the .yml file in the .kitchen/logs folder of the cookbook.
  • PATH_TO_THE_SSH_KEY_FILE is the value of ssh_key: in the .kitchen.yml file.

Terminate the instance

kitchen destroy STRING_UNIQUE_TO_THE_INSTANCE

Upload the cookbook to the Chef server

See Connect to the Chef server in Beginner’s Guide to DevOps Engineering part 4.

Next:

Infrastructure as code in Beginner’s Guide to DevOps Engineering part 6.

Back:

to the Tutorials page

DevOps Engineering part 4. – Connect to the Chef server

Find a Chef Server

To work in a corporate environment, your organization needs access to a Chef server.

To learn Chef and test your cookbooks for free, you can create an account on the “hosted” Chef server, maintained by the Chef company. The plan allows five nodes at a time, so you can even launch a small server farm for yourself. Another option is to launch your own Chef server (on-premises) and manage up to 25 nodes on it for free. That could be enough for a small organization to get started with automation. Please see the Chef web portal for more information at https://www.chef.io/

To use the “hosted” Chef server

To launch your own Chef server

Accessing the Chef Server

To access the Chef server you need a user account to log into the web interface and a key to access the server with command line tools, like knife.

Until you set up your workstation to access the Chef server, you will  get the following error message:

WARNING: No knife configuration file found
WARN: Failed to read the private key C:\chef\client.pem: #<Errno::ENOENT: No such file or directory @ rb_sysopen - C:\chef\client.pem>
ERROR: Your private key could not be loaded from C:\chef\client.pem
Check your configuration file and ensure that your private key is readable

Create a user account on the Chef server

Register your username

  • Open the Chef server page in your web browser,
  • Click the Click here to get started! link to create a new account,
  • Enter your name, email address and username you want to use and click the Get Started button. The Chef server will send you an invitation email.

Verify your email address

  • Open the email Chef Notifications sent you and click the long link to verify your email address,
  • On the Email Verification page enter the password you want to use on the Chef server and click the Create User button,

Ask your Chef server administrator to invite you to an organization on the Chef server

The administrator

  • Using a web browser log into the Chef server user interface,
  • In the upper right corner select the organization to invite the user to,
  • On the Administration tab select Users on the left side,
  • Under Users click Invite,
  • Enter the username of the new registered user and click the Invite button

Accept the invite to the organization

  • Using a web browser log into the Chef server user interface,
  • On the Welcome to Chef, page click the Accept Invite button.
  • If you are already logged into the Chef server user interface, the upper right corner will show you the number of invitations you have received. Click the red number, then the message to accept the invitation,
  • Select the checkbox next to the organization you want to be part of and click the Accept button.
  • Click Close to dismiss the message window.

Download your key to access the Chef server

  • Using a web browser log into the Chef server user interface,
  • In the upper right corner click your name and select My Profile,
  • In the lower right click the Reset Key link,
  • Click the Download button to download your private .pem key file.

Save your key, you cannot download it again. When you generate a new key, the prior key will be deleted on the server.

Configure knife

The knife command is used to interact with the Chef server. Before you can connect to the Chef server we need to configure knife

  • Open a Bash window in your home directory: ~ on Mac, C:\Users\YOUR_USER_NAME on Windows
  • Execute 
    knife configure
  • Get the Chef server address from your administrator and answer the questions: 
    Please enter the chef server URL: https://CHEF_SERVER_URL/organizations/ORGANIZATION_NAME
Please enter an existing username or clientname for the API: YOUR_USER_NAME
Overwrite /Users/YOUR_USER_NAME/.chef/credentials?? (Y/N) Y
  • Get the chef_shell.rb and knife.rb from your administrator and place them at ~/.chef on Mac and C:\Users\YOUR_USER_NAME\.chef on Windows,
  • Replace the username placeholders with your username.

Save the key files on your workstation

  • Move the .pem Chef server private key file, you have downloaded during the Chef user registration, to the C:/Chef/.chef directory.
  • Get the VALIDATOR_FILE_NAME.pem file from your Chef server administrator and save it in the C:/Chef/.chef directory.

Test the Chef server connectivity

  • Open a Bash window in the folder of the cookbook at C:\Chef\cookbooks\test
  • Execute
knife cookbook list

to see the list of the available cookbooks on the Chef server.

Upload the cookbook to the Chef server

knife cookbook upload COOKBOOK_NAME --freeze

The –freeze option is the most important. It locks the cookbook on the Chef server so we are forced to increment the version before we upload a new version of the cookbook.

Next:

Create an enterprise cookbook in Beginner’s Guide to DevOps Engineering part 5.

Back:

to the Tutorials page

Permission denied message when you try to upload your new repository to GitHub from a Windows computer

If you work on a Windows computer and create a new GitHub repository, you can copy the code from the GitHub page to set the remote address and push the existing code to the GitHub server. You may get the following error message:

$ git push -u origin master
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Make sure you have selected the HTTPS button to see the correct lines for Windows.
github-01-create-repo

To change to address of the remote server execute the following
git remote set-url origin https://github.com/.....

DevOps Engineering part 3. – Working with AWS

Personalize your workstation

Set up your account in the AWS console

If you are not an AWS account administrator, ask your AWS account administrator to do the following for you

  • Create an account in AWS
  • Add the account to the appropriate user group
  • Generate a password with a request to change it at the first login
  • Generate an AWS Access Key ID and Secret Key
    • Using your browser log into the AWS console
    • In the upper right corner click your user id
    • In the drop down list select Security Credentials
    • On the left select Users
    • In the user list select you account
    • Select the Security Credentials tab
    • Click the Create Access Key button

AWS Command Line Interface

Install AWS CLI

On Macintosh

  • Open a terminal and execute 
    brew install awscli
  • For more instructions visit http://docs.aws.amazon.com/cli/latest/userguide/installing.htm

On Windows

  1. Open a Command Prompt as administrator
  2. Execute 
    choco install awscli
  3. Close the command prompt and open a new Git Bash to load the updated PATH environment variable.

or

  1. Download the MSI installer from http://docs.aws.amazon.com/cli/latest/userguide/installing.html#install-msi-on-windows
  2. Execute the downloaded file.
  3. Make sure the AWS CLI is in the PATH
    1. Open the  ~/.bashrec file in a text editor
    2. Add the line if missing 
      PATH=$PATH:/c/Program Files/AWSCLI/bin

Configuration

If you do not configure the AWS CLI you will get the following error message: ‘NoneType’ object has no attribute ‘get_frozen_credentials’

  1. Open a new Bash window, so it can find the newly installed AWS CLI
  2. Execute the following command to save your AWS credentials and default region in the ~.aws ( C:\Users\YOUR_USER_NAME\.aws in Windows ) folder. 
    aws configure
  3. Answer the questions 
    AWS Access Key ID [None]: YOUR AWS KEY
AWS Secret Access Key [None]: YOUR AWS SECRET KEY
Default region name [None]: us-east-1
Default output format [None]: HIT ENTER FOR NONE

Close and reopen all open Bash and Command windows to reload the changed Path environment variable.

The configure command created the .aws folder with two files.

On Macintosh

Your AWS configuration folder is located at ~/.aws

Set the permissions on the folder

  • Open a terminal window and execute 
    chmod -R 700 ~/.aws
  • The result should be




On Windows


Your AWS configuration folder is located at C:\Users\YOUR_USER_NAME\.aws




Your  credentials file will look like this


[default]
 aws_access_key_id = MY_ACCESS_KEY
 aws_secret_access_key = MY_SECRET_KEY


Test Kitchen will use the keys from the [default] section to connect to AWS when we launch instances.


When you work with multiple AWS accounts you can add all of your keys to the credentials file. To use a specific key, add the profile option to your command line instructions. If you don’t specify the profile in your AWS commands, the AWS Command Line Interface will use the key from the default section.


[aws01]
 aws_access_key_id = MY_ACCESS_KEY_FOR_AWS01
 aws_secret_access_key = MY_SECRET_KEY_FOR_AWS01

[aws02]
 aws_access_key_id = MY_ACCESS_KEY_FOR_AWS02
 aws_secret_access_key = MY_SECRET_KEY_FOR_AWS02

[default]
 aws_access_key_id = MY_ACCESS_KEY_FOR_AWS01
 aws_secret_access_key = MY_SECRET_KEY_FOR_AWS01




The config file will look like this. If you don’t specify the region in the AWS command, the AWS Command Line utility will use the region from this file.


[default]
region = us-east-1




Collect the following information to be able to launch an instance in AWS


    

  • Your IAM user name
    • 

  • AWS Access Key and Secret Key
    • 

  • Region (us-east-1)
    • 

  • Availability zone (b)
    • 

  • VPC subnet ID
    • 

  • Security group ID
    • 

  • AWS key pair file
    • 

  • AMI ID
    • 





Create a folder to store your private keys


Keep your private keys in a folder in your home directory. You will need them to launch servers, and log into Linux servers with SSH, or retrieve the administrator password for Windows servers.


On Macintosh


Create the folder ~/aws_keys


Set the permissions on the folder key folder too


    

  • Open a terminal window and execute

    chmod -R 700 ~/aws_keys
    

    • 

  • The result should be
    

    • 



If you copy key files to the folder you may get the following error message:


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Permissions 0755 for ‘/Users/YOUR_USERNAME/.aws/KEY_FILE_NAME.pem’ are too open. It is required that your private key files are NOT accessible by others. This private key will be ignored. Load key “/Users/YOUR_USERNAME/.aws/KEY_FILE_NAME.pem”: bad permissions USERNAME@SERVER_IP’s password: Permission denied, please try again.


To satisfy the security requirements set the permission on the key files to 700


chmod -R 700 ~/.aws/KEY_FILE_NAME.pem


On Windows


Create the folder C:\Users\YOUR_USER_NAME\aws_keys




Generate an AWS key pair


    

  • Log into the AWS console
    • 

  • Select EC2
    • 

  • Under Network & Security select Key Pairs
    • 

  • In the upper right corner select the region
    • 

  • Click the Create Key Pair button
    
Create your key pair with the following naming scheme:
    
userid_accountname_region
    
For example: USERID_aws01_us_east_1
    • 

  • Your browser automatically downloads the .pem private key file. Move it to and save it in the ~aws_keys (C:\Users\YOUR_USER_NAME\aws_keys on Windows) directory you created above during the AWS CLI configuration.
    • 



For more info visit Amazon EC2 Key Pairs


Set up your .kitchen.yml file


When you have created your cookbook, Chef already added a .kitchen.yml file that tells Test Kitchen how to launch a server instance on your workstation.


The default .kitchen.yml file only contains driver and provisioner information for Vargrant. To launch a server instance in AWS we need to add AWS specific instructions to the file. First modify the .kitchen.yml file to be ready for other drivers:


---
provisioner:
  name: chef_zero

verifier:
  name: inspec

platforms:
  - name: ubuntu-16.04
    driver:
      name: vagrant

  - name: centos-7.2
    driver:
      name: vagrant

suites:
  - name: default
    run_list:
      - recipe[test::default]
    verifier:
      inspec_tests:
        - test/recipes
    attributes:



Make sure the empty lines are really empty. The .kitchen.yml file should not have white space in a seemingly empty line.




Next:


Connect to the Chef server in Beginner’s Guide to DevOps Engineering part 4.


Back:


to the Tutorials page

	


	





	

		
List the installed Windows Features on the Windows server with PowerShell
	


	
	

		
When you set up a new Windows server and want to make sure all necessary Windows features are installed on it, you can list them in text format. If you want to replicate the configuration of an existing server, just list the features of both servers and compare them in a comparison tool, like Araxis Merge.


To list the installed Windows features, execute the following in the PowerShell prompt


get-windowsfeature


The result follows the layout of the checkboxes of the graphical user interface in text form.


[X] Web Server (IIS)         Web-Server                 Installed
   [X] Web Server            Web-WebServer              Installed
   [X] Common HTTP           Features Web-Common-Http   Installed
   [X] Default Document      Web-Default-Doc            Installed
   [X] Directory Browsing    Web-Dir-Browsing           Installed
   [X] HTTP Errors           Web-Http-Errors            Installed
   [X] Static Content        Web-Static-Content         Installed
   [X] HTTP Redirection      Web-Http-Redirect          Installed
   [ ] WebDAV Publishing     Web-DAV-Publishing         Available




To produce a simpler output execute


Dism /online /Get-Features


This will return


Deployment Image Servicing and Management tool
Version: 6.3.9600.17031

Image Version: 6.3.9600.17031

Features listing for package : Microsoft-Windows-ServerCore-Package~31bf3856ad364e35~amd64~~6.3.9600.16384

Feature Name : NetFx4ServerFeatures
State : Enabled

Feature Name : NetFx4
State : Enabled

Feature Name : NetFx4Extended-ASPNET45
State : Disabled

	


	





	

		
Remove Policyfile.rb from your Chef cookbook
	


	
	

		
When you test your cookbook in Chef Test Kitchen and get the following error, delete the “Policyfile.rb” from your Chef cookbook directory.


$$$$$$ You must set your run_list in your policyfile instead of kitchen config. The run_list your config will be ignored.
$$$$$$ Ignored run_list: ["recipe[...::...]"]
       Preparing dna.json
       Exporting cookbook dependencies from Policyfile /tmp/...
       Error: Invalid lockfile data
       Reason: (ChefDK::DependencyConflict) Cookbook ... (...) has dependency constraints that cannot be met by the existing cookbook set:
       Cookbook ... isn't included in the existing cookbook set.

	


	





	

		
Chef Data Bags
	


	
	

		
Create an encrypted Chef data bag


There are secrets in most of the Chef cookbooks that we want to protect. We don’t want to give out user names, passwords and AWS keys.  In Chef the best place to hide these secrets is the Encrypted Data Bag.


A Data Bag is a JSON file that we can encrypt, so we can store it in version control with the rest of the cookbook.


To make  continuous integration and delivery (CI/CD) easier, store the Encrypted Data Bags in the cookbook folder structure and commit them together with the rest of the cookbook into version control (Git)


To make sure the unencrypted secret is not committed into version control, add the following line to the  .gitignore file


# Ignore the unencrypted Data Bags
data_bags_unencrypted/


The structure of Chef folder should look like this. Store the unencrypted Data Bags with the original values in the data_bags_unencrypted folder




Create a folder for the unencrypted Data Bag and create a file for the Data Bag Item. The name of the file and the value of the id element should be the same.




Enter the Data Bag Item values and save the file.


{
 "id": "access_key",
 "AccessKey": "XXXXX",
 "SecretKey": "YYYYY"
}


Automate the data bag encryption


Create the folder structure


    

  1. Create a folder for data bag related files on the same level as the cookbooks folder. Name it data_bags
    

    

    2. 

  2. Get the data bag encryption secret file from your Chef server administrator and place it in the data_bags_unencrypted  folder.
    

    3. 

  3. Create a folder for Chef related scripts on the same level as the cookbooks folder. Name it devops-chef-scripts
    

    4. 



Create the automation script


Create the following script and name it encrypt_databag.sh. This script


    

  1. Encrypts the Data Bag,
    2. 

  2. Uploads the encrypted data bag to the Chef server,
    3. 

  3. Saves the encrypted data bag in the data_bags folder on your workstation.
    4. 



Replace >>>MY_ENCRYPTED_DATABAG_SECRET<<< with the name of the encrypted data bag secret file.


#!/bin/bash
if [ -z $1 ] || [ -z $2 ]
then
	echo "Please supply the arguments: DATABAG_NAME ITEM_NAME"
	echo "../devops-chef-scripts/encrypt_databag.sh [DATA_BAG_NAME/NAME OF THE FOLDER] [ITEM_NAME/ID]"
else

  echo -- knife data bag create $1
  knife data bag create $1

  # Encrypt the databag and upload it to the Chef server
  echo -- knife data bag from file $1 $1/$2.json --secret-file ../data_bags_unencrypted/>>>MY_ENCRYPTED_DATABAG_SECRET<<<
  knife data bag from file $1 $1/$2.json --secret-file ../data_bags_unencrypted/>>>MY_ENCRYPTED_DATABAG_SECRET<<<

  # Create a directory for the encrypted databag on the workstation
  echo -- mkdir -p ../data_bags/$1
  mkdir -p ../data_bags/$1

  # Download the encrypted data bag
  echo -- knife data bag show $1 $2 -F json 'to' ../data_bags/$1/$2.json
  knife data bag show $1 $2 -F json > ../data_bags/$1/$2.json

  echo "Encrypted data bag has been created at ../data_bags/"$1"/"$2".json"

fi

echo -n "Press a key to exit"	#'-n' means do not add \n to end of string
read              		# No arg means dump next line of input



Add execution right to the file


chmod +x ./encrypt_databag.sh


Encrypt the data bag


Open a Bash window in the data_bags_unencrypted folder


Execute the following command, where


DATA_BAG_NAME is the name of the data bag folder

ITEM_NAME is the value of the id element and the item file name without the ‘.json’ extension,


../devops-chef-scripts/encrypt_databag.sh DATA_BAG_NAME ITEM_NAME


The script will create a folder for the Data Bag in the “data_bags” folder and save the encrypted Data Bag file in it.


The following warning is normal. We did not want to unencrypt the data bag, just download the encrypted version.


WARNING: Encrypted data bag detected, but no secret provided for decoding. Displaying encrypted data.


Troubleshooting


If you get the error message


ERROR: The object you are looking for could not be found

Response: Cannot load data bag item … for data bag …


make sure you set the name of the data bag item file without the .json extension and the value of the id element the same.